---
title: "Root Keys"
description: "Learn how root keys in the Unkey API work"
---

To interact with the Unkey API to manage resources such as APIs or keys, you need a `root key`.

`Root keys` are scoped per workspace and you can fine tune their access permissions when creating a key or update later on the fly.

<Note>
  It's a good practice to provide as few permissions as possible, to minimize the potential impact of a leaked key.
</Note>



<Steps>
<Step title="Start">


1. Go to [https://app.unkey.com](https://app.unkey.com) and sign in. 
2. Using the left sidebar menu navigate to `Settings`, then `Root Keys`.
3. Click the New root key button in the top right of the screen. 

You should see the following modal.

</Step>

<Step title="Name and Permissions">

<Frame>
<img src="/images/root-keys/rootkey-modal-start.png"/>
</Frame>

1. Optionally enter a name. This is internal only and not customer-facing.
2. Click the `Select Permissions...` button. 
3. Add your workspace-wide permissions. These permissions affect and override the per-API permissions below.
4. For each API in your workspace, you can enable fine-grained permissions.
5. Click `Create New Key` at the bottom.

<Frame>
<img src="/images/root-keys/rootkey-create.png"/>
</Frame>

</Step>

<Step title="Copy your key">

<Note>
Be sure to copy the key before closing the window. There is no way to recover it later
</Note>

<Frame>
<img src="/images/root-keys/copy.png"/>
</Frame>

</Step>
</Steps>

## What should I do if a root key is leaked?

If you leak a root key - for instance, by accidentally checking it in to version control - you should immediately revoke the root key and replace it with a new, secure key. Root keys are secrets, and should never be exposed publicly.
